github.com/Heebron/moby@v0.0.0-20221111184709-6eab4f55faf7/oci/caps/utils_linux.go

github.com/Heebron/moby@v0.0.0-20221111184709-6eab4f55faf7/oci/caps/utils_linux.go (about)

     1  package caps // import "github.com/docker/docker/oci/caps"
     2  import (
     3  	"sync"
     4  
     5  	ccaps "github.com/containerd/containerd/pkg/cap"
     6  	"github.com/sirupsen/logrus"
     7  )
     8  
     9  var initCapsOnce sync.Once
    10  
    11  func initCaps() {
    12  	initCapsOnce.Do(func() {
    13  		rawCaps := ccaps.Known()
    14  		curCaps, err := ccaps.Current()
    15  		if err != nil {
    16  			logrus.WithError(err).Error("failed to get capabilities from current environment")
    17  			allCaps = rawCaps
    18  		} else {
    19  			allCaps = curCaps
    20  		}
    21  		knownCaps = make(map[string]*struct{}, len(rawCaps))
    22  		for _, capName := range rawCaps {
    23  			// For now, we assume the capability is available if we failed to
    24  			// get the capabilities from the current environment. This keeps the
    25  			// old (pre-detection) behavior, and prevents creating containers with
    26  			// no capabilities. The OCI runtime or kernel may still refuse capa-
    27  			// bilities that are not available, and produce an error in that case.
    28  			if len(curCaps) > 0 && !inSlice(curCaps, capName) {
    29  				knownCaps[capName] = nil
    30  				continue
    31  			}
    32  			knownCaps[capName] = &struct{}{}
    33  		}
    34  	})
    35  }